CVE-2020-36245: GramAddict bot uses dependency with reverse tcp backdoor
GramAddict before 1.2.5 allows remote attackers to execute arbitrary code because of its use of UIAutomator2 and ATX-Agent. The attacker must be able to reach TCP port 7912, e.g., by being on the same Wi-Fi network.
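The only version boundary the advisory gives is "before 1.2.5", so the practical check on the defender's side is whether a project pins an affected GramAddict release. The script below is an added example, not code from the GramAddict project or from GitLab; it assumes requirements.txt-style `==` pins, works on a constructed sample rather than a real file, and treats the first fixed version as 1.2.5 exactly as stated above. Pre-releases of 1.2.5 (e.g. `1.2.5rc1`) are ordered before the final release, and unpinned or range-constrained entries are deliberately skipped rather than guessed at.

```python
"""Flag GramAddict pins affected by CVE-2020-36245 (fixed in 1.2.5).

Added example for the advisory above; not part of GramAddict or GitLab.
"""
import re

PACKAGE = "gramaddict"            # normalised distribution name
FIXED_VERSION = (1, 2, 5, 1)      # first unaffected release (trailing 1 = final release)

# Constructed sample of a requirements.txt; not taken from any real project.
SAMPLE_REQUIREMENTS = [
    "# pinned dependencies",
    "requests==2.25.1",
    "GramAddict==1.2.3        # affected: older than 1.2.5",
    "gramaddict==1.2.5rc1     # affected: pre-release of the fixed version",
    "gramaddict>=1.2.5        # range constraint: skipped, not a pin",
]


def parse_version(text):
    """Turn a PEP 440-like version string into a comparable tuple.

    Returns (major, minor, patch, final_flag). final_flag is 0 for
    pre-releases (a/b/rc/dev suffixes) and 1 otherwise, so that
    '1.2.5rc1' sorts before '1.2.5'. Extra numeric components beyond
    the third are ignored; that is adequate for the x.y.z boundary here.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums = (nums + [0, 0, 0])[:3]
    suffix = m.group(2).lstrip(".-").lower()
    is_prerelease = suffix.startswith(("a", "b", "rc", "dev"))
    return tuple(nums) + (0 if is_prerelease else 1,)


def is_affected(version):
    """True when the given GramAddict version is older than the fix (1.2.5)."""
    return parse_version(version) < FIXED_VERSION


def scan_requirements(lines):
    """Return [(name, version)] for every exact GramAddict pin that is affected.

    Only '==' pins are evaluated; comments and non-pin constraints are skipped.
    """
    findings = []
    pin = re.compile(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        m = pin.match(line)
        if not m:
            continue                            # not an exact pin; cannot judge
        name = m.group(1).lower().replace("_", "-")
        version = m.group(2)
        if name == PACKAGE and is_affected(version):
            findings.append((name, version))
    return findings


if __name__ == "__main__":
    for name, version in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"CVE-2020-36245: {name}=={version} is affected; upgrade to >=1.2.5")
```

Run it against `pip freeze` output or a requirements file by passing the lines to `scan_requirements`; anything it reports should be upgraded to 1.2.5 or later, and the skipped range constraints should be resolved to a concrete version before judging them.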
References
- github.com/GramAddict/bot
- github.com/GramAddict/bot/commit/b9d11691b2fb13749c3cd0f75c70ee31242053ce
- github.com/GramAddict/bot/issues/134
- github.com/GramAddict/bot/pull/183
- github.com/advisories/GHSA-q5h6-49gg-2wfg
- github.com/pypa/advisory-database/tree/main/vulns/gramaddict/PYSEC-2021-65.yaml
- nvd.nist.gov/vuln/detail/CVE-2020-36245